[openssl-dev] cert_cb and TLS tickets
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Dec 9 20:28:17 UTC 2016
On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote:
> During development of one feature for my TLS proxy bud, I have discovered
> that the cert_cb is invoked only for newly generated tickets/sessions. The
> reasoning behind this is clear, but I believe that it most likely needs
> a revision. Here is my reasoning:
The callback is *correctly* only called when choosing the server
certificate. In *that* case, it is always called. When sessions
are resumed, there is no certificate to present, so no callback is
made.
> Furthermore, with the TLS ticket provided, the
> application can no longer choose to provide a different certificate in case
> of expiration or revocation.
You can implement a ticket key callback that, when appropriate, will
decline tickets under suitable conditions, in which case a full
handshake will be performed.
Custom ticket callbacks that do session ticket key rotation are a
good idea in any case; the default tickets are not rotated, which
is not appropriate for long-running processes.
--
Viktor.